VYPR

your_spotify

by Yooooomi

CVEs (5)

  • CVE-2024-28194CriMar 13, 2024
    risk 0.59cvss 9.1epss 0.01

    your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This…

  • CVE-2024-28193MedMar 13, 2024
    risk 0.42cvss 6.5epss 0.01

    your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 allows users to create a public token in the settings, which can be used to provide guest-level access to the information of that specific user in YourSpotify. The /me API endpoint…

  • CVE-2024-28196MedMar 13, 2024
    risk 0.42cvss 6.5epss 0.00

    your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version < 1.9.0 does not prevent other pages from displaying it in an iframe and is thus vulnerable to clickjacking. Clickjacking can be used to trick an existing user of YourSpotify to trigger…

  • CVE-2024-28192MedMar 13, 2024
    risk 0.34cvss 5.3epss 0.01

    your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 is vulnerable to NoSQL injection in the public access token processing logic. Attackers can fully bypass the public token authentication mechanism, regardless if a public token has…

  • CVE-2024-28195HigMar 13, 2024
    risk 0.00cvss 8.1epss 0.00

    your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or…